2023-09-14 08:28:24 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
|
/*
|
|
|
|
* Linear symmetric key cipher operations.
|
|
|
|
*
|
|
|
|
* Generic encrypt/decrypt wrapper for ciphers.
|
|
|
|
*
|
|
|
|
* Copyright (c) 2023 Herbert Xu <herbert@gondor.apana.org.au>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/cryptouser.h>
|
|
|
|
#include <linux/err.h>
|
|
|
|
#include <linux/export.h>
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
#include <linux/string.h>
|
|
|
|
#include <net/netlink.h>
|
|
|
|
#include "skcipher.h"
|
|
|
|
|
|
|
|
static inline struct crypto_lskcipher *__crypto_lskcipher_cast(
|
|
|
|
struct crypto_tfm *tfm)
|
|
|
|
{
|
|
|
|
return container_of(tfm, struct crypto_lskcipher, base);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline struct lskcipher_alg *__crypto_lskcipher_alg(
|
|
|
|
struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
return container_of(alg, struct lskcipher_alg, co.base);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int lskcipher_setkey_unaligned(struct crypto_lskcipher *tfm,
|
|
|
|
const u8 *key, unsigned int keylen)
|
|
|
|
{
|
|
|
|
unsigned long alignmask = crypto_lskcipher_alignmask(tfm);
|
|
|
|
struct lskcipher_alg *cipher = crypto_lskcipher_alg(tfm);
|
|
|
|
u8 *buffer, *alignbuffer;
|
|
|
|
unsigned long absize;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
absize = keylen + alignmask;
|
|
|
|
buffer = kmalloc(absize, GFP_ATOMIC);
|
|
|
|
if (!buffer)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
alignbuffer = (u8 *)ALIGN((unsigned long)buffer, alignmask + 1);
|
|
|
|
memcpy(alignbuffer, key, keylen);
|
|
|
|
ret = cipher->setkey(tfm, alignbuffer, keylen);
|
|
|
|
kfree_sensitive(buffer);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_lskcipher_setkey(struct crypto_lskcipher *tfm, const u8 *key,
|
|
|
|
unsigned int keylen)
|
|
|
|
{
|
|
|
|
unsigned long alignmask = crypto_lskcipher_alignmask(tfm);
|
|
|
|
struct lskcipher_alg *cipher = crypto_lskcipher_alg(tfm);
|
|
|
|
|
|
|
|
if (keylen < cipher->co.min_keysize || keylen > cipher->co.max_keysize)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if ((unsigned long)key & alignmask)
|
|
|
|
return lskcipher_setkey_unaligned(tfm, key, keylen);
|
|
|
|
else
|
|
|
|
return cipher->setkey(tfm, key, keylen);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_lskcipher_setkey);
|
|
|
|
|
|
|
|
static int crypto_lskcipher_crypt_unaligned(
|
|
|
|
struct crypto_lskcipher *tfm, const u8 *src, u8 *dst, unsigned len,
|
|
|
|
u8 *iv, int (*crypt)(struct crypto_lskcipher *tfm, const u8 *src,
|
crypto: skcipher - Add internal state support
Unlike chaining modes such as CBC, stream ciphers other than CTR
usually hold an internal state that must be preserved if the
operation is to be done piecemeal. This has not been represented
in the API, resulting in the inability to split up stream cipher
operations.
This patch adds the basic representation of an internal state to
skcipher and lskcipher. In the interest of backwards compatibility,
the default has been set such that existing users are assumed to
be operating in one go as opposed to piecemeal.
With the new API, each lskcipher/skcipher algorithm has a new
attribute called statesize. For skcipher, this is the size of
the buffer that can be exported or imported similar to ahash.
For lskcipher, instead of providing a buffer of ivsize, the user
now has to provide a buffer of ivsize + statesize.
Each skcipher operation is assumed to be final as they are now,
but this may be overridden with a request flag. When the override
occurs, the user may then export the partial state and reimport
it later.
For lskcipher operations this is reversed. All operations are
not final and the state will be exported unless the FINAL bit is
set. However, the CONT bit still has to be set for the state
to be used.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-11-27 10:14:08 +00:00
|
|
|
u8 *dst, unsigned len, u8 *iv, u32 flags))
|
2023-09-14 08:28:24 +00:00
|
|
|
{
|
2023-11-28 06:33:19 +00:00
|
|
|
unsigned statesize = crypto_lskcipher_statesize(tfm);
|
2023-09-14 08:28:24 +00:00
|
|
|
unsigned ivsize = crypto_lskcipher_ivsize(tfm);
|
|
|
|
unsigned bs = crypto_lskcipher_blocksize(tfm);
|
|
|
|
unsigned cs = crypto_lskcipher_chunksize(tfm);
|
|
|
|
int err;
|
|
|
|
u8 *tiv;
|
|
|
|
u8 *p;
|
|
|
|
|
|
|
|
BUILD_BUG_ON(MAX_CIPHER_BLOCKSIZE > PAGE_SIZE ||
|
|
|
|
MAX_CIPHER_ALIGNMASK >= PAGE_SIZE);
|
|
|
|
|
|
|
|
tiv = kmalloc(PAGE_SIZE, GFP_ATOMIC);
|
|
|
|
if (!tiv)
|
|
|
|
return -ENOMEM;
|
|
|
|
|
2023-11-28 06:33:19 +00:00
|
|
|
memcpy(tiv, iv, ivsize + statesize);
|
2023-09-14 08:28:24 +00:00
|
|
|
|
|
|
|
p = kmalloc(PAGE_SIZE, GFP_ATOMIC);
|
|
|
|
err = -ENOMEM;
|
|
|
|
if (!p)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
while (len >= bs) {
|
|
|
|
unsigned chunk = min((unsigned)PAGE_SIZE, len);
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (chunk > cs)
|
|
|
|
chunk &= ~(cs - 1);
|
|
|
|
|
|
|
|
memcpy(p, src, chunk);
|
crypto: skcipher - Add internal state support
Unlike chaining modes such as CBC, stream ciphers other than CTR
usually hold an internal state that must be preserved if the
operation is to be done piecemeal. This has not been represented
in the API, resulting in the inability to split up stream cipher
operations.
This patch adds the basic representation of an internal state to
skcipher and lskcipher. In the interest of backwards compatibility,
the default has been set such that existing users are assumed to
be operating in one go as opposed to piecemeal.
With the new API, each lskcipher/skcipher algorithm has a new
attribute called statesize. For skcipher, this is the size of
the buffer that can be exported or imported similar to ahash.
For lskcipher, instead of providing a buffer of ivsize, the user
now has to provide a buffer of ivsize + statesize.
Each skcipher operation is assumed to be final as they are now,
but this may be overridden with a request flag. When the override
occurs, the user may then export the partial state and reimport
it later.
For lskcipher operations this is reversed. All operations are
not final and the state will be exported unless the FINAL bit is
set. However, the CONT bit still has to be set for the state
to be used.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-11-27 10:14:08 +00:00
|
|
|
err = crypt(tfm, p, p, chunk, tiv, CRYPTO_LSKCIPHER_FLAG_FINAL);
|
2023-09-14 08:28:24 +00:00
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
memcpy(dst, p, chunk);
|
|
|
|
src += chunk;
|
|
|
|
dst += chunk;
|
|
|
|
len -= chunk;
|
|
|
|
}
|
|
|
|
|
|
|
|
err = len ? -EINVAL : 0;
|
|
|
|
|
|
|
|
out:
|
2023-11-28 06:33:19 +00:00
|
|
|
memcpy(iv, tiv, ivsize + statesize);
|
2023-09-14 08:28:24 +00:00
|
|
|
kfree_sensitive(p);
|
|
|
|
kfree_sensitive(tiv);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int crypto_lskcipher_crypt(struct crypto_lskcipher *tfm, const u8 *src,
|
|
|
|
u8 *dst, unsigned len, u8 *iv,
|
|
|
|
int (*crypt)(struct crypto_lskcipher *tfm,
|
|
|
|
const u8 *src, u8 *dst,
|
|
|
|
unsigned len, u8 *iv,
|
crypto: skcipher - Add internal state support
Unlike chaining modes such as CBC, stream ciphers other than CTR
usually hold an internal state that must be preserved if the
operation is to be done piecemeal. This has not been represented
in the API, resulting in the inability to split up stream cipher
operations.
This patch adds the basic representation of an internal state to
skcipher and lskcipher. In the interest of backwards compatibility,
the default has been set such that existing users are assumed to
be operating in one go as opposed to piecemeal.
With the new API, each lskcipher/skcipher algorithm has a new
attribute called statesize. For skcipher, this is the size of
the buffer that can be exported or imported similar to ahash.
For lskcipher, instead of providing a buffer of ivsize, the user
now has to provide a buffer of ivsize + statesize.
Each skcipher operation is assumed to be final as they are now,
but this may be overridden with a request flag. When the override
occurs, the user may then export the partial state and reimport
it later.
For lskcipher operations this is reversed. All operations are
not final and the state will be exported unless the FINAL bit is
set. However, the CONT bit still has to be set for the state
to be used.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-11-27 10:14:08 +00:00
|
|
|
u32 flags))
|
2023-09-14 08:28:24 +00:00
|
|
|
{
|
|
|
|
unsigned long alignmask = crypto_lskcipher_alignmask(tfm);
|
|
|
|
|
|
|
|
if (((unsigned long)src | (unsigned long)dst | (unsigned long)iv) &
|
crypto: remove CONFIG_CRYPTO_STATS
Remove support for the "Crypto usage statistics" feature
(CONFIG_CRYPTO_STATS). This feature does not appear to have ever been
used, and it is harmful because it significantly reduces performance and
is a large maintenance burden.
Covering each of these points in detail:
1. Feature is not being used
Since these generic crypto statistics are only readable using netlink,
it's fairly straightforward to look for programs that use them. I'm
unable to find any evidence that any such programs exist. For example,
Debian Code Search returns no hits except the kernel header and kernel
code itself and translations of the kernel header:
https://codesearch.debian.net/search?q=CRYPTOCFGA_STAT&literal=1&perpkg=1
The patch series that added this feature in 2018
(https://lore.kernel.org/linux-crypto/1537351855-16618-1-git-send-email-clabbe@baylibre.com/)
said "The goal is to have an ifconfig for crypto device." This doesn't
appear to have happened.
It's not clear that there is real demand for crypto statistics. Just
because the kernel provides other types of statistics such as I/O and
networking statistics and some people find those useful does not mean
that crypto statistics are useful too.
Further evidence that programs are not using CONFIG_CRYPTO_STATS is that
it was able to be disabled in RHEL and Fedora as a bug fix
(https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2947).
Even further evidence comes from the fact that there are and have been
bugs in how the stats work, but they were never reported. For example,
before Linux v6.7 hash stats were double-counted in most cases.
There has also never been any documentation for this feature, so it
might be hard to use even if someone wanted to.
2. CONFIG_CRYPTO_STATS significantly reduces performance
Enabling CONFIG_CRYPTO_STATS significantly reduces the performance of
the crypto API, even if no program ever retrieves the statistics. This
primarily affects systems with a large number of CPUs. For example,
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039576 reported
that Lustre client encryption performance improved from 21.7GB/s to
48.2GB/s by disabling CONFIG_CRYPTO_STATS.
It can be argued that this means that CONFIG_CRYPTO_STATS should be
optimized with per-cpu counters similar to many of the networking
counters. But no one has done this in 5+ years. This is consistent
with the fact that the feature appears to be unused, so there seems to
be little interest in improving it as opposed to just disabling it.
It can be argued that because CONFIG_CRYPTO_STATS is off by default,
performance doesn't matter. But Linux distros tend to error on the side
of enabling options. The option is enabled in Ubuntu and Arch Linux,
and until recently was enabled in RHEL and Fedora (see above). So, even
just having the option available is harmful to users.
3. CONFIG_CRYPTO_STATS is a large maintenance burden
There are over 1000 lines of code associated with CONFIG_CRYPTO_STATS,
spread among 32 files. It significantly complicates much of the
implementation of the crypto API. After the initial submission, many
fixes and refactorings have consumed effort of multiple people to keep
this feature "working". We should be spending this effort elsewhere.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2024-03-13 03:48:21 +00:00
|
|
|
alignmask)
|
|
|
|
return crypto_lskcipher_crypt_unaligned(tfm, src, dst, len, iv,
|
|
|
|
crypt);
|
2023-09-14 08:28:24 +00:00
|
|
|
|
crypto: remove CONFIG_CRYPTO_STATS
Remove support for the "Crypto usage statistics" feature
(CONFIG_CRYPTO_STATS). This feature does not appear to have ever been
used, and it is harmful because it significantly reduces performance and
is a large maintenance burden.
Covering each of these points in detail:
1. Feature is not being used
Since these generic crypto statistics are only readable using netlink,
it's fairly straightforward to look for programs that use them. I'm
unable to find any evidence that any such programs exist. For example,
Debian Code Search returns no hits except the kernel header and kernel
code itself and translations of the kernel header:
https://codesearch.debian.net/search?q=CRYPTOCFGA_STAT&literal=1&perpkg=1
The patch series that added this feature in 2018
(https://lore.kernel.org/linux-crypto/1537351855-16618-1-git-send-email-clabbe@baylibre.com/)
said "The goal is to have an ifconfig for crypto device." This doesn't
appear to have happened.
It's not clear that there is real demand for crypto statistics. Just
because the kernel provides other types of statistics such as I/O and
networking statistics and some people find those useful does not mean
that crypto statistics are useful too.
Further evidence that programs are not using CONFIG_CRYPTO_STATS is that
it was able to be disabled in RHEL and Fedora as a bug fix
(https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/2947).
Even further evidence comes from the fact that there are and have been
bugs in how the stats work, but they were never reported. For example,
before Linux v6.7 hash stats were double-counted in most cases.
There has also never been any documentation for this feature, so it
might be hard to use even if someone wanted to.
2. CONFIG_CRYPTO_STATS significantly reduces performance
Enabling CONFIG_CRYPTO_STATS significantly reduces the performance of
the crypto API, even if no program ever retrieves the statistics. This
primarily affects systems with a large number of CPUs. For example,
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2039576 reported
that Lustre client encryption performance improved from 21.7GB/s to
48.2GB/s by disabling CONFIG_CRYPTO_STATS.
It can be argued that this means that CONFIG_CRYPTO_STATS should be
optimized with per-cpu counters similar to many of the networking
counters. But no one has done this in 5+ years. This is consistent
with the fact that the feature appears to be unused, so there seems to
be little interest in improving it as opposed to just disabling it.
It can be argued that because CONFIG_CRYPTO_STATS is off by default,
performance doesn't matter. But Linux distros tend to error on the side
of enabling options. The option is enabled in Ubuntu and Arch Linux,
and until recently was enabled in RHEL and Fedora (see above). So, even
just having the option available is harmful to users.
3. CONFIG_CRYPTO_STATS is a large maintenance burden
There are over 1000 lines of code associated with CONFIG_CRYPTO_STATS,
spread among 32 files. It significantly complicates much of the
implementation of the crypto API. After the initial submission, many
fixes and refactorings have consumed effort of multiple people to keep
this feature "working". We should be spending this effort elsewhere.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2024-03-13 03:48:21 +00:00
|
|
|
return crypt(tfm, src, dst, len, iv, CRYPTO_LSKCIPHER_FLAG_FINAL);
|
2023-09-14 08:28:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_lskcipher_encrypt(struct crypto_lskcipher *tfm, const u8 *src,
|
|
|
|
u8 *dst, unsigned len, u8 *iv)
|
|
|
|
{
|
|
|
|
struct lskcipher_alg *alg = crypto_lskcipher_alg(tfm);
|
|
|
|
|
|
|
|
return crypto_lskcipher_crypt(tfm, src, dst, len, iv, alg->encrypt);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_lskcipher_encrypt);
|
|
|
|
|
|
|
|
int crypto_lskcipher_decrypt(struct crypto_lskcipher *tfm, const u8 *src,
|
|
|
|
u8 *dst, unsigned len, u8 *iv)
|
|
|
|
{
|
|
|
|
struct lskcipher_alg *alg = crypto_lskcipher_alg(tfm);
|
|
|
|
|
|
|
|
return crypto_lskcipher_crypt(tfm, src, dst, len, iv, alg->decrypt);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_lskcipher_decrypt);
|
|
|
|
|
|
|
|
static int crypto_lskcipher_crypt_sg(struct skcipher_request *req,
|
|
|
|
int (*crypt)(struct crypto_lskcipher *tfm,
|
|
|
|
const u8 *src, u8 *dst,
|
2023-11-28 06:33:19 +00:00
|
|
|
unsigned len, u8 *ivs,
|
crypto: skcipher - Add internal state support
Unlike chaining modes such as CBC, stream ciphers other than CTR
usually hold an internal state that must be preserved if the
operation is to be done piecemeal. This has not been represented
in the API, resulting in the inability to split up stream cipher
operations.
This patch adds the basic representation of an internal state to
skcipher and lskcipher. In the interest of backwards compatibility,
the default has been set such that existing users are assumed to
be operating in one go as opposed to piecemeal.
With the new API, each lskcipher/skcipher algorithm has a new
attribute called statesize. For skcipher, this is the size of
the buffer that can be exported or imported similar to ahash.
For lskcipher, instead of providing a buffer of ivsize, the user
now has to provide a buffer of ivsize + statesize.
Each skcipher operation is assumed to be final as they are now,
but this may be overridden with a request flag. When the override
occurs, the user may then export the partial state and reimport
it later.
For lskcipher operations this is reversed. All operations are
not final and the state will be exported unless the FINAL bit is
set. However, the CONT bit still has to be set for the state
to be used.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2023-11-27 10:14:08 +00:00
|
|
|
u32 flags))
|
2023-09-14 08:28:24 +00:00
|
|
|
{
|
|
|
|
struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
|
|
|
|
struct crypto_lskcipher **ctx = crypto_skcipher_ctx(skcipher);
|
2023-11-28 06:33:19 +00:00
|
|
|
u8 *ivs = skcipher_request_ctx(req);
|
2023-09-14 08:28:24 +00:00
|
|
|
struct crypto_lskcipher *tfm = *ctx;
|
|
|
|
struct skcipher_walk walk;
|
2023-11-28 06:33:19 +00:00
|
|
|
unsigned ivsize;
|
|
|
|
u32 flags;
|
2023-09-14 08:28:24 +00:00
|
|
|
int err;
|
|
|
|
|
2023-11-28 06:33:19 +00:00
|
|
|
ivsize = crypto_lskcipher_ivsize(tfm);
|
|
|
|
ivs = PTR_ALIGN(ivs, crypto_skcipher_alignmask(skcipher) + 1);
|
2024-02-21 09:07:44 +00:00
|
|
|
memcpy(ivs, req->iv, ivsize);
|
2023-11-28 06:33:19 +00:00
|
|
|
|
|
|
|
flags = req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP;
|
|
|
|
|
|
|
|
if (req->base.flags & CRYPTO_SKCIPHER_REQ_CONT)
|
|
|
|
flags |= CRYPTO_LSKCIPHER_FLAG_CONT;
|
|
|
|
|
|
|
|
if (!(req->base.flags & CRYPTO_SKCIPHER_REQ_NOTFINAL))
|
|
|
|
flags |= CRYPTO_LSKCIPHER_FLAG_FINAL;
|
|
|
|
|
2023-09-14 08:28:24 +00:00
|
|
|
err = skcipher_walk_virt(&walk, req, false);
|
|
|
|
|
|
|
|
while (walk.nbytes) {
|
|
|
|
err = crypt(tfm, walk.src.virt.addr, walk.dst.virt.addr,
|
2023-11-28 06:33:19 +00:00
|
|
|
walk.nbytes, ivs,
|
|
|
|
flags & ~(walk.nbytes == walk.total ?
|
|
|
|
0 : CRYPTO_LSKCIPHER_FLAG_FINAL));
|
2023-09-14 08:28:24 +00:00
|
|
|
err = skcipher_walk_done(&walk, err);
|
2023-11-28 06:33:19 +00:00
|
|
|
flags |= CRYPTO_LSKCIPHER_FLAG_CONT;
|
2023-09-14 08:28:24 +00:00
|
|
|
}
|
|
|
|
|
2024-02-21 09:07:44 +00:00
|
|
|
memcpy(req->iv, ivs, ivsize);
|
2023-11-28 06:33:19 +00:00
|
|
|
|
2023-09-14 08:28:24 +00:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_lskcipher_encrypt_sg(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
|
|
|
|
struct crypto_lskcipher **ctx = crypto_skcipher_ctx(skcipher);
|
|
|
|
struct lskcipher_alg *alg = crypto_lskcipher_alg(*ctx);
|
|
|
|
|
|
|
|
return crypto_lskcipher_crypt_sg(req, alg->encrypt);
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_lskcipher_decrypt_sg(struct skcipher_request *req)
|
|
|
|
{
|
|
|
|
struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req);
|
|
|
|
struct crypto_lskcipher **ctx = crypto_skcipher_ctx(skcipher);
|
|
|
|
struct lskcipher_alg *alg = crypto_lskcipher_alg(*ctx);
|
|
|
|
|
|
|
|
return crypto_lskcipher_crypt_sg(req, alg->decrypt);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void crypto_lskcipher_exit_tfm(struct crypto_tfm *tfm)
|
|
|
|
{
|
|
|
|
struct crypto_lskcipher *skcipher = __crypto_lskcipher_cast(tfm);
|
|
|
|
struct lskcipher_alg *alg = crypto_lskcipher_alg(skcipher);
|
|
|
|
|
|
|
|
alg->exit(skcipher);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int crypto_lskcipher_init_tfm(struct crypto_tfm *tfm)
|
|
|
|
{
|
|
|
|
struct crypto_lskcipher *skcipher = __crypto_lskcipher_cast(tfm);
|
|
|
|
struct lskcipher_alg *alg = crypto_lskcipher_alg(skcipher);
|
|
|
|
|
|
|
|
if (alg->exit)
|
|
|
|
skcipher->base.exit = crypto_lskcipher_exit_tfm;
|
|
|
|
|
|
|
|
if (alg->init)
|
|
|
|
return alg->init(skcipher);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void crypto_lskcipher_free_instance(struct crypto_instance *inst)
|
|
|
|
{
|
|
|
|
struct lskcipher_instance *skcipher =
|
|
|
|
container_of(inst, struct lskcipher_instance, s.base);
|
|
|
|
|
|
|
|
skcipher->free(skcipher);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __maybe_unused crypto_lskcipher_show(
|
|
|
|
struct seq_file *m, struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
struct lskcipher_alg *skcipher = __crypto_lskcipher_alg(alg);
|
|
|
|
|
|
|
|
seq_printf(m, "type : lskcipher\n");
|
|
|
|
seq_printf(m, "blocksize : %u\n", alg->cra_blocksize);
|
|
|
|
seq_printf(m, "min keysize : %u\n", skcipher->co.min_keysize);
|
|
|
|
seq_printf(m, "max keysize : %u\n", skcipher->co.max_keysize);
|
|
|
|
seq_printf(m, "ivsize : %u\n", skcipher->co.ivsize);
|
|
|
|
seq_printf(m, "chunksize : %u\n", skcipher->co.chunksize);
|
2023-11-28 06:33:19 +00:00
|
|
|
seq_printf(m, "statesize : %u\n", skcipher->co.statesize);
|
2023-09-14 08:28:24 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int __maybe_unused crypto_lskcipher_report(
|
|
|
|
struct sk_buff *skb, struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
struct lskcipher_alg *skcipher = __crypto_lskcipher_alg(alg);
|
|
|
|
struct crypto_report_blkcipher rblkcipher;
|
|
|
|
|
|
|
|
memset(&rblkcipher, 0, sizeof(rblkcipher));
|
|
|
|
|
|
|
|
strscpy(rblkcipher.type, "lskcipher", sizeof(rblkcipher.type));
|
|
|
|
strscpy(rblkcipher.geniv, "<none>", sizeof(rblkcipher.geniv));
|
|
|
|
|
|
|
|
rblkcipher.blocksize = alg->cra_blocksize;
|
|
|
|
rblkcipher.min_keysize = skcipher->co.min_keysize;
|
|
|
|
rblkcipher.max_keysize = skcipher->co.max_keysize;
|
|
|
|
rblkcipher.ivsize = skcipher->co.ivsize;
|
|
|
|
|
|
|
|
return nla_put(skb, CRYPTOCFGA_REPORT_BLKCIPHER,
|
|
|
|
sizeof(rblkcipher), &rblkcipher);
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct crypto_type crypto_lskcipher_type = {
|
|
|
|
.extsize = crypto_alg_extsize,
|
|
|
|
.init_tfm = crypto_lskcipher_init_tfm,
|
|
|
|
.free = crypto_lskcipher_free_instance,
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
|
|
.show = crypto_lskcipher_show,
|
|
|
|
#endif
|
|
|
|
#if IS_ENABLED(CONFIG_CRYPTO_USER)
|
|
|
|
.report = crypto_lskcipher_report,
|
|
|
|
#endif
|
|
|
|
.maskclear = ~CRYPTO_ALG_TYPE_MASK,
|
|
|
|
.maskset = CRYPTO_ALG_TYPE_MASK,
|
|
|
|
.type = CRYPTO_ALG_TYPE_LSKCIPHER,
|
|
|
|
.tfmsize = offsetof(struct crypto_lskcipher, base),
|
|
|
|
};
|
|
|
|
|
|
|
|
static void crypto_lskcipher_exit_tfm_sg(struct crypto_tfm *tfm)
|
|
|
|
{
|
|
|
|
struct crypto_lskcipher **ctx = crypto_tfm_ctx(tfm);
|
|
|
|
|
|
|
|
crypto_free_lskcipher(*ctx);
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_init_lskcipher_ops_sg(struct crypto_tfm *tfm)
|
|
|
|
{
|
|
|
|
struct crypto_lskcipher **ctx = crypto_tfm_ctx(tfm);
|
|
|
|
struct crypto_alg *calg = tfm->__crt_alg;
|
|
|
|
struct crypto_lskcipher *skcipher;
|
|
|
|
|
|
|
|
if (!crypto_mod_get(calg))
|
|
|
|
return -EAGAIN;
|
|
|
|
|
|
|
|
skcipher = crypto_create_tfm(calg, &crypto_lskcipher_type);
|
|
|
|
if (IS_ERR(skcipher)) {
|
|
|
|
crypto_mod_put(calg);
|
|
|
|
return PTR_ERR(skcipher);
|
|
|
|
}
|
|
|
|
|
|
|
|
*ctx = skcipher;
|
|
|
|
tfm->exit = crypto_lskcipher_exit_tfm_sg;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_grab_lskcipher(struct crypto_lskcipher_spawn *spawn,
|
|
|
|
struct crypto_instance *inst,
|
|
|
|
const char *name, u32 type, u32 mask)
|
|
|
|
{
|
|
|
|
spawn->base.frontend = &crypto_lskcipher_type;
|
|
|
|
return crypto_grab_spawn(&spawn->base, inst, name, type, mask);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_grab_lskcipher);
|
|
|
|
|
|
|
|
struct crypto_lskcipher *crypto_alloc_lskcipher(const char *alg_name,
|
|
|
|
u32 type, u32 mask)
|
|
|
|
{
|
|
|
|
return crypto_alloc_tfm(alg_name, &crypto_lskcipher_type, type, mask);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_alloc_lskcipher);
|
|
|
|
|
|
|
|
static int lskcipher_prepare_alg(struct lskcipher_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_alg *base = &alg->co.base;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = skcipher_prepare_alg_common(&alg->co);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
if (alg->co.chunksize & (alg->co.chunksize - 1))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
base->cra_type = &crypto_lskcipher_type;
|
|
|
|
base->cra_flags |= CRYPTO_ALG_TYPE_LSKCIPHER;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int crypto_register_lskcipher(struct lskcipher_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_alg *base = &alg->co.base;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
err = lskcipher_prepare_alg(alg);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
return crypto_register_alg(base);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_lskcipher);
|
|
|
|
|
|
|
|
void crypto_unregister_lskcipher(struct lskcipher_alg *alg)
|
|
|
|
{
|
|
|
|
crypto_unregister_alg(&alg->co.base);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_lskcipher);
|
|
|
|
|
|
|
|
int crypto_register_lskciphers(struct lskcipher_alg *algs, int count)
|
|
|
|
{
|
|
|
|
int i, ret;
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++) {
|
|
|
|
ret = crypto_register_lskcipher(&algs[i]);
|
|
|
|
if (ret)
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err:
|
|
|
|
for (--i; i >= 0; --i)
|
|
|
|
crypto_unregister_lskcipher(&algs[i]);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_lskciphers);
|
|
|
|
|
|
|
|
void crypto_unregister_lskciphers(struct lskcipher_alg *algs, int count)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = count - 1; i >= 0; --i)
|
|
|
|
crypto_unregister_lskcipher(&algs[i]);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_lskciphers);
|
|
|
|
|
|
|
|
int lskcipher_register_instance(struct crypto_template *tmpl,
|
|
|
|
struct lskcipher_instance *inst)
|
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (WARN_ON(!inst->free))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
err = lskcipher_prepare_alg(&inst->alg);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
return crypto_register_instance(tmpl, lskcipher_crypto_instance(inst));
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(lskcipher_register_instance);
|
|
|
|
|
|
|
|
static int lskcipher_setkey_simple(struct crypto_lskcipher *tfm, const u8 *key,
|
|
|
|
unsigned int keylen)
|
|
|
|
{
|
|
|
|
struct crypto_lskcipher *cipher = lskcipher_cipher_simple(tfm);
|
|
|
|
|
|
|
|
crypto_lskcipher_clear_flags(cipher, CRYPTO_TFM_REQ_MASK);
|
|
|
|
crypto_lskcipher_set_flags(cipher, crypto_lskcipher_get_flags(tfm) &
|
|
|
|
CRYPTO_TFM_REQ_MASK);
|
|
|
|
return crypto_lskcipher_setkey(cipher, key, keylen);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int lskcipher_init_tfm_simple(struct crypto_lskcipher *tfm)
|
|
|
|
{
|
|
|
|
struct lskcipher_instance *inst = lskcipher_alg_instance(tfm);
|
|
|
|
struct crypto_lskcipher **ctx = crypto_lskcipher_ctx(tfm);
|
|
|
|
struct crypto_lskcipher_spawn *spawn;
|
|
|
|
struct crypto_lskcipher *cipher;
|
|
|
|
|
|
|
|
spawn = lskcipher_instance_ctx(inst);
|
|
|
|
cipher = crypto_spawn_lskcipher(spawn);
|
|
|
|
if (IS_ERR(cipher))
|
|
|
|
return PTR_ERR(cipher);
|
|
|
|
|
|
|
|
*ctx = cipher;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void lskcipher_exit_tfm_simple(struct crypto_lskcipher *tfm)
|
|
|
|
{
|
|
|
|
struct crypto_lskcipher **ctx = crypto_lskcipher_ctx(tfm);
|
|
|
|
|
|
|
|
crypto_free_lskcipher(*ctx);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void lskcipher_free_instance_simple(struct lskcipher_instance *inst)
|
|
|
|
{
|
|
|
|
crypto_drop_lskcipher(lskcipher_instance_ctx(inst));
|
|
|
|
kfree(inst);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* lskcipher_alloc_instance_simple - allocate instance of simple block cipher
|
|
|
|
*
|
|
|
|
* Allocate an lskcipher_instance for a simple block cipher mode of operation,
|
|
|
|
* e.g. cbc or ecb. The instance context will have just a single crypto_spawn,
|
|
|
|
* that for the underlying cipher. The {min,max}_keysize, ivsize, blocksize,
|
|
|
|
* alignmask, and priority are set from the underlying cipher but can be
|
|
|
|
* overridden if needed. The tfm context defaults to
|
|
|
|
* struct crypto_lskcipher *, and default ->setkey(), ->init(), and
|
|
|
|
* ->exit() methods are installed.
|
|
|
|
*
|
|
|
|
* @tmpl: the template being instantiated
|
|
|
|
* @tb: the template parameters
|
|
|
|
*
|
|
|
|
* Return: a pointer to the new instance, or an ERR_PTR(). The caller still
|
|
|
|
* needs to register the instance.
|
|
|
|
*/
|
|
|
|
struct lskcipher_instance *lskcipher_alloc_instance_simple(
|
|
|
|
struct crypto_template *tmpl, struct rtattr **tb)
|
|
|
|
{
|
|
|
|
u32 mask;
|
|
|
|
struct lskcipher_instance *inst;
|
|
|
|
struct crypto_lskcipher_spawn *spawn;
|
2023-09-14 08:28:25 +00:00
|
|
|
char ecb_name[CRYPTO_MAX_ALG_NAME];
|
2023-09-14 08:28:24 +00:00
|
|
|
struct lskcipher_alg *cipher_alg;
|
2023-09-14 08:28:25 +00:00
|
|
|
const char *cipher_name;
|
2023-09-14 08:28:24 +00:00
|
|
|
int err;
|
|
|
|
|
|
|
|
err = crypto_check_attr_type(tb, CRYPTO_ALG_TYPE_LSKCIPHER, &mask);
|
|
|
|
if (err)
|
|
|
|
return ERR_PTR(err);
|
|
|
|
|
2023-09-14 08:28:25 +00:00
|
|
|
cipher_name = crypto_attr_alg_name(tb[1]);
|
|
|
|
if (IS_ERR(cipher_name))
|
|
|
|
return ERR_CAST(cipher_name);
|
|
|
|
|
2023-09-14 08:28:24 +00:00
|
|
|
inst = kzalloc(sizeof(*inst) + sizeof(*spawn), GFP_KERNEL);
|
|
|
|
if (!inst)
|
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
|
|
|
spawn = lskcipher_instance_ctx(inst);
|
|
|
|
err = crypto_grab_lskcipher(spawn,
|
|
|
|
lskcipher_crypto_instance(inst),
|
2023-09-14 08:28:25 +00:00
|
|
|
cipher_name, 0, mask);
|
|
|
|
|
|
|
|
ecb_name[0] = 0;
|
|
|
|
if (err == -ENOENT && !!memcmp(tmpl->name, "ecb", 4)) {
|
|
|
|
err = -ENAMETOOLONG;
|
|
|
|
if (snprintf(ecb_name, CRYPTO_MAX_ALG_NAME, "ecb(%s)",
|
|
|
|
cipher_name) >= CRYPTO_MAX_ALG_NAME)
|
|
|
|
goto err_free_inst;
|
|
|
|
|
|
|
|
err = crypto_grab_lskcipher(spawn,
|
|
|
|
lskcipher_crypto_instance(inst),
|
|
|
|
ecb_name, 0, mask);
|
|
|
|
}
|
|
|
|
|
2023-09-14 08:28:24 +00:00
|
|
|
if (err)
|
|
|
|
goto err_free_inst;
|
2023-09-14 08:28:25 +00:00
|
|
|
|
2023-09-14 08:28:24 +00:00
|
|
|
cipher_alg = crypto_lskcipher_spawn_alg(spawn);
|
|
|
|
|
|
|
|
err = crypto_inst_setname(lskcipher_crypto_instance(inst), tmpl->name,
|
|
|
|
&cipher_alg->co.base);
|
|
|
|
if (err)
|
|
|
|
goto err_free_inst;
|
|
|
|
|
2023-09-14 08:28:25 +00:00
|
|
|
if (ecb_name[0]) {
|
|
|
|
int len;
|
|
|
|
|
2023-10-12 05:11:25 +00:00
|
|
|
err = -EINVAL;
|
2023-09-14 08:28:25 +00:00
|
|
|
len = strscpy(ecb_name, &cipher_alg->co.base.cra_name[4],
|
|
|
|
sizeof(ecb_name));
|
|
|
|
if (len < 2)
|
|
|
|
goto err_free_inst;
|
|
|
|
|
|
|
|
if (ecb_name[len - 1] != ')')
|
|
|
|
goto err_free_inst;
|
|
|
|
|
|
|
|
ecb_name[len - 1] = 0;
|
|
|
|
|
|
|
|
err = -ENAMETOOLONG;
|
|
|
|
if (snprintf(inst->alg.co.base.cra_name, CRYPTO_MAX_ALG_NAME,
|
|
|
|
"%s(%s)", tmpl->name, ecb_name) >=
|
|
|
|
CRYPTO_MAX_ALG_NAME)
|
|
|
|
goto err_free_inst;
|
|
|
|
|
|
|
|
if (strcmp(ecb_name, cipher_name) &&
|
|
|
|
snprintf(inst->alg.co.base.cra_driver_name,
|
|
|
|
CRYPTO_MAX_ALG_NAME,
|
|
|
|
"%s(%s)", tmpl->name, cipher_name) >=
|
|
|
|
CRYPTO_MAX_ALG_NAME)
|
|
|
|
goto err_free_inst;
|
|
|
|
} else {
|
|
|
|
/* Don't allow nesting. */
|
|
|
|
err = -ELOOP;
|
|
|
|
if ((cipher_alg->co.base.cra_flags & CRYPTO_ALG_INSTANCE))
|
|
|
|
goto err_free_inst;
|
|
|
|
}
|
2023-09-14 08:28:24 +00:00
|
|
|
|
|
|
|
err = -EINVAL;
|
|
|
|
if (cipher_alg->co.ivsize)
|
|
|
|
goto err_free_inst;
|
|
|
|
|
|
|
|
inst->free = lskcipher_free_instance_simple;
|
|
|
|
|
|
|
|
/* Default algorithm properties, can be overridden */
|
|
|
|
inst->alg.co.base.cra_blocksize = cipher_alg->co.base.cra_blocksize;
|
|
|
|
inst->alg.co.base.cra_alignmask = cipher_alg->co.base.cra_alignmask;
|
|
|
|
inst->alg.co.base.cra_priority = cipher_alg->co.base.cra_priority;
|
|
|
|
inst->alg.co.min_keysize = cipher_alg->co.min_keysize;
|
|
|
|
inst->alg.co.max_keysize = cipher_alg->co.max_keysize;
|
|
|
|
inst->alg.co.ivsize = cipher_alg->co.base.cra_blocksize;
|
2023-12-21 02:42:57 +00:00
|
|
|
inst->alg.co.statesize = cipher_alg->co.statesize;
|
2023-09-14 08:28:24 +00:00
|
|
|
|
|
|
|
/* Use struct crypto_lskcipher * by default, can be overridden */
|
|
|
|
inst->alg.co.base.cra_ctxsize = sizeof(struct crypto_lskcipher *);
|
|
|
|
inst->alg.setkey = lskcipher_setkey_simple;
|
|
|
|
inst->alg.init = lskcipher_init_tfm_simple;
|
|
|
|
inst->alg.exit = lskcipher_exit_tfm_simple;
|
|
|
|
|
|
|
|
return inst;
|
|
|
|
|
|
|
|
err_free_inst:
|
|
|
|
lskcipher_free_instance_simple(inst);
|
|
|
|
return ERR_PTR(err);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(lskcipher_alloc_instance_simple);
|